Hi stable release managers,
please review apache2 2.2.3-4+etch6 for inclusion in etch r5. It fixes
a couple of minor security issues and two severe bugs for which the
patches had not received enough testing at the time of the last upload.

apache2 (2.2.3-4+etch6) stable; urgency=low

  * Fix CVE-2007-6388: XSS in mod_status
  * Fix CVE-2008-2939: XSS in mod_proxy_ftp
  * Fix CVE-2008-2364: DoS in mod_proxy_http
  * Fix salt generation weakness in htpasswd (Closes: #489899)
  * Fix processes hanging on graceful restart or shutdown with prefork
    MPM.
  * mod_cache: Handle If-Range correctly if the cached resource was
    stale.
    This fixes problems when using apt with mod_cache (closes:
    #470652).

The full debdiff is at
http://www.sfritsch.de/~stf/2.2.3-4+etch6.debdiff
The fix for the graceful restart issue requires a _sourceful_ upload
of apache2-mpm-itk because its patches will no longer apply
cleanly. Also, the version of apache2-mpm-itk in etch still has that
bug that it won't FTBFS if it can't apply the patches, but produce
broken binaries instead. That could be fixed in the same upload.
I can do the upload of apache2-mpm-itk after apache2 has been built on
all architectures, or sesse can do it if he wants to.
Cheers,
Stefan